Kaspersky has warned of a new malware that hides itself as video game mods and cheats for popular titles like Roblox and GTAV and targets crypto wallets.
Dubbed “Stealka,” the new infostealer can “hijack accounts, steal cryptocurrency, and install a crypto miner on their victims’ devices,” Kaspersky warned in a recent blog post.
“Most frequently, this infostealer disguises itself as game cracks, cheats and mods,” it added.
For those unaware, infostealers are a category of malware that allows bad actors to extract confidential information from a victim’s device and send it to a remote server.
In the past, crypto users have been consistently targeted using this attack vector, often through a variety of disguised applications, websites, and installer packages.
How does Stealka target crypto users?
According to the cybersecurity firm, cybercriminals are distributing Stealka across legitimate platforms like GitHub, SourceForge, and Google Sites, where they are uploaded as cracked software and mods for popular games and applications.
Since these platforms have a reputation for trustworthiness and host a large open-source and gaming community, it give the attackers a convenient way to reach a broad number of unsuspecting users.
The malware activates once a user downloads the malicious file and runs it on their system.
Kaspersky estimates that the campaign has been active since at least November 2025, and instances of the malware have been found imitating various popular apps and games. See below.
“Sometimes, however, attackers go a step further (and possibly use AI tools) to create entire fake websites that look quite professional. Without the help of a robust antivirus, the average user is unlikely to realize anything is amiss,” Kaspersky added.
However, it noted that some of these fake sites may have subtle signs, such as mismatched product names or odd descriptions in the form of exaggerated claims that don’t match the actual software being offered.
In some instances, these malicious websites also pretend to scan files using logos of antivirus vendors to assure users that the downloads are safe, but in reality, it’s just a cheap tactic to trick them into lowering their guard.
“Of course, no such scanning actually takes place; the attackers are merely trying to create an illusion of trustworthiness,” Kaspersky said.
Once installed, Stealka targets data from browsers developed on Chromium and Gecko engines, two of the most widely used platforms that form the foundation for many popular browsers including Chrome, Firefox, Opera, Yandex Browser, Edge, Brave, among others.
From there on, it can steal autofill data such as sign-in credentials, saved addresses, and payment card details.
Kaspersky also found that the malware can target the settings and databases of 115 browser extensions for crypto wallets, including Binance, Coinbase, Crypto.com, SafePal, Trust Wallet, MetaMask, and others, alongside two-factor authentication services like Authy and Google Authenticator.
Notably, at least 80 wallet applications may be at risk, as wallet configuration data contains sensitive details like private keys, seed-phrase data, wallet file paths, and encryption parameters, Kaspersky said.
How to keep your crypto assets safe
To prevent Stealka and similar malware from compromising user data, Kaspersky advises using reliable antivirus software and urges users to avoid pirated software and unofficial game mods.
As an added safety measure, Kaspersky urges users to avoid storing sensitive information in browsers.
The attack vectors used by infostealers to target crypto users are constantly evolving, which makes threats like these especially concerning.
For instance, last month, cybersecurity research team SpiderLabs uncovered a major campaign that promoted the Eternidade Stealer using complex social engineering tactics to deploy malware across WhatsApp.
Back in September, ModStealer, another stealthy infostealer, was found to be targeting cryptocurrency wallets across Windows, Linux, and macOS while evading major antivirus engines.
The post Kaspersky flags malware posing as Roblox and GTAV mods to steal crypto data appeared first on Invezz
